Where Are Rootkits At These Days?


7% of all malware infections are by rootkits, according to research by Microsoft described in a blog from the Microsoft Malware Protection Center.

A rootkit is a special form of malware that installs itself at a very low level of the system, below the operating system in some ways, in order to fool the operating system. It intercepts operating system calls in order to hide itself from users and anti-malware tools. Finding them is tough.

Alureon alone accounted for more than 60% of all rootkit reports. Cutwail showed respectable numbers, Rustock and Hupigon were noticeable, and the rest are small potatoes.

If you look at threats that tried to run and were blocked, the list is different, with Rustock and Bagle comprising the lion's share.

The blog goes on to discuss the file names that rootkits use (mostly .SYS) and the directory locations they choose (%system%\drivers is #1).

It is by looking at how rootkits work, by messing with the kernel in fundamental ways, that you understand why Microsoft made the important security changes it made in 64-bit Windows: all kernel-mode code has to be code-signed with a certificate issued by a trusted certificate authority, and Kernel Patch Protection (a.k.a. PatchGuard) monitors certain key memory structures belonging to Windows to see if they have been changed; if they have, it shuts the system down.
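The two points above, where rootkit drivers tend to live (.SYS files under %system%\drivers) and the kernel-mode code-signing requirement, can be turned into a quick defender's inventory check. The script below is an added example, not from the original post or from Microsoft; it assumes Windows 8 or later with PowerShell 3+, where Get-AuthenticodeSignature also honours catalog-signed Microsoft drivers, and the Resolve-DriverPath helper is a hypothetical name for this example.

```powershell
# Added example (not from the original post): list every system driver the OS
# reports, check each image's Authenticode signature, and flag drivers that are
# unsigned, fail validation, are missing on disk, or sit outside the usual
# %SystemRoot%\System32\drivers folder. A rootkit that already hooks the OS can
# hide from this enumeration, so a clean result means "nothing visible".

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several NT-style spellings; normalise
    # them to a plain Win32 path so Test-Path and the signature check work.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                          # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                # expand \SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"      # bare relative form
    return $p
}

$report = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        # A registered driver whose image cannot be found is worth a look on its own.
        [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $path
                           Status = 'FileMissing'; Signer = $null; Finding = 'no image on disk' }
        return
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $findings = @()
    if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
    if (-not $path.StartsWith($driversDir, 'OrdinalIgnoreCase')) { $findings += 'outside drivers dir' }
    if ([IO.Path]::GetExtension($path) -ne '.sys') { $findings += 'unusual image extension' }
    [pscustomobject]@{
        Name    = $_.Name
        State   = $_.State
        Path    = $path
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Finding = ($findings -join '; ')
    }
}

# Show only drivers with a finding, currently running ones first.
$report | Where-Object { $_.Finding } |
    Sort-Object @{ Expression = { $_.State -eq 'Running' }; Descending = $true }, Name |
    Format-Table Name, State, Status, Finding, Path -AutoSize
```

Run it from an elevated PowerShell session; entries flagged "outside drivers dir" with a valid Microsoft signature are usually legitimate, so the combination of an invalid or missing signature on a running driver is the one that deserves attention.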

Rootkits in the future, which is undoubtedly a 64-bit Windows future, will have a much harder job to do. It may be so hard that malware writers will work on other things instead.